Monitoring Unix Logins
You can also tell the who command to read the /var/log/wtmp file instead of the default /var/run/utmp:

    who /var/log/wtmp
    genisis  ttyv0  Feb  3 13:25
    shutdown ~      Feb  3 13:30
             ttyv0  Feb  3 13:30
    reboot   ~      Feb  3 13:31
    genisis  ttyv0  Feb  3 13:31
    genisis  ttyv1  Feb  3 13:32
    genisis  ttyv2  Feb  3 13:32
    genisis  ttyp0  Feb  3 13:34 (biko)
    genisis  ttyv3  Feb  3 13:46
    genisis  ttyp1  Feb  3 15:04 (biko)
    genisis  ttyv4  Feb  3 15:04
             ttyp0  Feb  3 15:31
    genisis  ttyp0  Feb  3 15:56 (biko)
             ttyp0  Feb  3 16:00
    genisis  ttyp0  Feb  3 16:00 (biko)
             ttyp0  Feb  3 16:23
    genisis  ttyp0  Feb  3 16:23 (biko)
             ttyp0  Feb  3 16:23
    genisis  ttyp0  Feb  3 16:23 (biko)
             ttyv4  Feb  3 16:32
    genisis  ttyv4  Feb  3 16:32
             ttyv4  Feb  3 16:32
    genisis  ttyv4  Feb  3 16:32
             ttyp0  Feb  3 16:45
             ttyp1  Feb  3 16:45
    test1    ttyp0  Feb  3 16:50 (biko)
    test2    ttyp1  Feb  3 16:51 (biko)
             ttyv4  Feb  3 16:51
    test3    ttyv4  Feb  3 16:51
             ttyv4  Feb  3 17:36
    shutdown ~      Feb  3 20:39
             ttyv3  Feb  3 20:39
             ttyv1  Feb  3 20:39
             ttyv0  Feb  3 20:39
             ttyv2  Feb  3 20:39
    reboot   ~      Feb  3 20:40
    genisis  ttyv0  Feb  3 20:40
    genisis  ttyv1  Feb  3 20:40
    genisis  ttyv2  Feb  3 20:40
    genisis  ttyv3  Feb  3 20:43
    genisis  ttyv4  Feb  4 08:25

Entries with an empty user column are logouts from that terminal.
Notice that this output also contains the times of reboots and shutdowns. On your system, the output may have been much longer, depending on how often users log in and out of your FreeBSD system. If your output is too long, you can view just the last 10 entries with the following command:
    who /var/log/wtmp | tail
/var/log/wtmp records every login, logout, date change, shutdown, and reboot. You can also access the information in the /var/log/wtmp file by using the last and ac commands. Let's compare the above output to the output of the last command:

    last
    genisis   ttyv4          Sun Feb  4 08:25   still logged in
    genisis   ttyv3          Sat Feb  3 20:43   still logged in
    genisis   ttyv2          Sat Feb  3 20:40   still logged in
    genisis   ttyv1          Sat Feb  3 20:40   still logged in
    genisis   ttyv0          Sat Feb  3 20:40   still logged in
    reboot    ~              Sat Feb  3 20:40
    shutdown  ~              Sat Feb  3 20:39
    test3     ttyv4          Sat Feb  3 16:51 - 17:36  (00:44)
    test2     ttyp1   biko   Sat Feb  3 16:51 - shutdown  (03:48)
    test1     ttyp0   biko   Sat Feb  3 16:50 - shutdown  (03:48)
    genisis   ttyv4          Sat Feb  3 16:32 - 16:51  (00:18)
    genisis   ttyv4          Sat Feb  3 16:32 - 16:32  (00:00)
    genisis   ttyp0   biko   Sat Feb  3 16:23 - 16:45  (00:21)
    genisis   ttyp0   biko   Sat Feb  3 16:23 - 16:23  (00:00)
    genisis   ttyp0   biko   Sat Feb  3 16:00 - 16:23  (00:22)
    genisis   ttyp0   biko   Sat Feb  3 15:56 - 16:00  (00:03)
    genisis   ttyv4          Sat Feb  3 15:04 - 16:32  (01:27)
    genisis   ttyp1   biko   Sat Feb  3 15:04 - 16:45  (01:41)
    genisis   ttyv3          Sat Feb  3 13:46 - shutdown  (06:52)
    genisis   ttyp0   biko   Sat Feb  3 13:34 - 15:31  (01:57)
    genisis   ttyv2          Sat Feb  3 13:32 - shutdown  (07:06)
    genisis   ttyv1          Sat Feb  3 13:32 - shutdown  (07:06)
    genisis   ttyv0          Sat Feb  3 13:31 - shutdown  (07:07)
    reboot    ~              Sat Feb  3 13:31
    shutdown  ~              Sat Feb  3 13:30
    genisis   ttyv0          Sat Feb  3 13:25 - shutdown  (00:04)
    reboot    ~              Sat Feb  3 13:25

    wtmp begins Sat Feb  3 13:25:04 2001
You'll notice that the entries are in reverse order, so you see the most recent events first. This means that if you want to limit the output to 10 lines, you should pipe it to the head command, since you want the head end of the output rather than the tail end. That is, to see only the 10 most recent entries, type:

    last | head
The last three columns are interesting, as they show what time the user logged in, what time they logged out, and the duration of the login session. The output also notes when a user was forcibly logged out by a shutdown or reboot.
The last command also supports several switches; a useful one is the word reboot:

    last reboot
    reboot    ~              Sat Feb  3 20:40
    reboot    ~              Sat Feb  3 13:31
    reboot    ~              Sat Feb  3 13:25

    wtmp begins Sat Feb  3 13:25:04 2001
This will give a nice summary of the times and dates your FreeBSD system rebooted.
The ac utility adds up the connection times recorded in /var/log/wtmp and can be used to get a rough idea of which users are using the most connection time. If you run ac without any switches, you'll be given a single number representing the total of all connection times contained within /var/log/wtmp:

    ac
            total  165.04
To see the total number of connection hours on a daily basis:

    ac -d
    Feb  3  total  124.42
    Feb  4  total   41.52
And to see the total hours for each user over the entire period recorded in /var/log/wtmp:

    ac -p
            test1      4.12
            test2      4.11
            test3      0.75
            genisis  156.06
            total    165.04
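To show how last pairs the login and logout records in wtmp into sessions, and how ac -p then sums those sessions per user, here is an added Python example; it is not code from the original column or from FreeBSD. It parses a constructed subset of the who /var/log/wtmp output shown above (the year 2001 is assumed from the "wtmp begins" line, since who prints no year), closes any open session at a shutdown or reboot the way last reports "- shutdown", counts a still-open session up to a supplied "now" as ac does, and flags a login on a terminal whose previous session never logged out as a gap in the record. The session fields, the "missing-logout" reason and the gap check are this example's own conventions, not behaviour of the FreeBSD tools.

```python
"""Rebuild login sessions from who(1)-style wtmp output and total hours per
user, the way last(1) and ac -p do.  Added example, not code from the
original column or from FreeBSD."""
from collections import defaultdict
from datetime import datetime

# Assumption: who(1) prints no year; 2001 comes from the "wtmp begins" line.
YEAR = 2001

# Constructed sample in the layout of `who /var/log/wtmp`: an empty user
# column is a logout on that tty; shutdown and reboot carry the tty "~".
SAMPLE = """\
genisis  ttyv4  Feb  3 15:04
         ttyv4  Feb  3 16:32
genisis  ttyv4  Feb  3 16:32
         ttyv4  Feb  3 16:32
test1    ttyp0  Feb  3 16:50 (biko)
test3    ttyv4  Feb  3 16:51
         ttyv4  Feb  3 17:36
shutdown ~      Feb  3 20:39
reboot   ~      Feb  3 20:40
genisis  ttyv0  Feb  3 20:40
"""

# Constructed: the same ttyv4 records with the 16:32 logout missing.
GAPPED = """\
genisis  ttyv4  Feb  3 15:04
test3    ttyv4  Feb  3 16:51
         ttyv4  Feb  3 17:36
"""


def parse_time(mon, day, hm):
    return datetime.strptime(f"{YEAR} {mon} {day} {hm}", "%Y %b %d %H:%M")


def parse_who(text):
    """Yield (kind, user, tty, host, time) for each line.

    kind is "login", "logout", "shutdown" or "reboot".  The text layout is
    ambiguous (a user named "tty..." would be misread); reading the binary
    utmp records avoids that, but the text form is enough to show pairing."""
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        if f[1] == "~":                      # system event
            yield f[0], None, "~", None, parse_time(*f[2:5])
        elif f[0].startswith("tty"):         # no user column: a logout
            yield "logout", None, f[0], None, parse_time(*f[1:4])
        else:
            host = f[5].strip("()") if len(f) > 5 else None
            yield "login", f[0], f[1], host, parse_time(*f[2:5])


def build_sessions(text):
    """Pair each login with the next logout on the same tty.

    A shutdown or reboot closes every open session (last(1) shows these as
    "- shutdown").  Returns (sessions, anomalies); a session still open has
    end None.  An anomaly is a login on a tty whose previous session never
    logged out, or a logout with no login: both mean wtmp is missing a
    record, which is worth checking since the file carries no integrity
    protection of its own."""
    open_by_tty = {}
    sessions, anomalies = [], []
    for kind, user, tty, host, when in parse_who(text):
        if kind == "login":
            if tty in open_by_tty:
                stale = open_by_tty.pop(tty)
                stale["end"], stale["reason"] = when, "missing-logout"
                sessions.append(stale)
                anomalies.append((tty, when))
            open_by_tty[tty] = {"user": user, "tty": tty, "host": host,
                                "start": when, "end": None, "reason": None}
        elif kind == "logout":
            s = open_by_tty.pop(tty, None)
            if s is None:
                anomalies.append((tty, when))
                continue
            s["end"], s["reason"] = when, "logout"
            sessions.append(s)
        else:                                # shutdown or reboot
            for s in open_by_tty.values():
                s["end"], s["reason"] = when, kind
                sessions.append(s)
            open_by_tty.clear()
    sessions.extend(open_by_tty.values())    # still logged in
    return sessions, anomalies


def hours_per_user(sessions, now):
    """Total hours per user, counting open sessions up to `now` as ac -p does."""
    total = defaultdict(float)
    for s in sessions:
        end = s["end"] or now
        total[s["user"]] += (end - s["start"]).total_seconds() / 3600
    return dict(total)


if __name__ == "__main__":
    sessions, anomalies = build_sessions(SAMPLE)
    for s in sessions:
        ended = s["end"].strftime("%H:%M") if s["end"] else "still logged in"
        print(f"{s['user']:8} {s['tty']:6} {s['host'] or '':6} "
              f"{s['start']:%a %b %d %H:%M} - {ended} ({s['reason']})")
    print(hours_per_user(sessions, parse_time("Feb", "3", "21:40")))
    print("anomalies:", build_sessions(GAPPED)[1])
```

Run as a script it prints one line per session in roughly the layout of last, the per-user hours, and the gap found in the GAPPED sample. The durations differ from the article's figures by up to a minute because who prints only minutes while last and ac work from the seconds stored in wtmp. The anomaly check is the part worth keeping: a terminal that shows two consecutive logins with no logout between them means a record is missing, which is one reason to copy wtmp off the host to a log server rather than trust only the local file.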
To summarize: the who and users utilities display information contained in the file /var/run/utmp; the last and ac utilities display the information contained in /var/log/wtmp.
The last thing I'd like to mention in today's article is locking unused terminals. Normally when a user finishes using a terminal, he or she will log out using the logout command. But sometimes a user needs to leave a terminal for a few minutes before finishing a session. It is good practice to lock your terminal if you need to be away from it, and your FreeBSD system comes with the lock utility for this purpose. If you just type lock, you'll be prompted for a "Key" or password to unlock the terminal:

    lock
    Key:
    Again:
    lock: /dev/ttyp0 biko timeout in 15 minutes
    time now is Sun Feb  4 11:48:34 EST 2001
    Key:
The terminal will now be locked for either 15 minutes or until the user returns and enters the key. If you don't want to be prompted to create a key when you invoke the lock utility, use lock -p; your key will be your login password. If you want to lock a terminal for more than 15 minutes, use lock -n. The only way to bypass a locked terminal is to know the key, wait for the timeout period, or have the superuser send a kill signal to the PID of the lock process from a different terminal.
There is also a utility called vlock that you can build using the ports collection. As the superuser and while connected to the Internet:

    cd /usr/ports/security/vlock
    make install clean
Once the port has been installed, you can leave the superuser account. To use it, type vlock:

    vlock
    This TTY is now locked.
    Please enter the password to unlock.
    genisis's Password:
You'll note that this utility only uses the user's password as the key and that the terminal will be locked until a password is entered. However, the superuser can unlock this terminal directly by entering root and then the password for the root account:

    genisis's Password: (type in the word "root")
    root's Password:
The vlock utility can also lock all the virtual terminals on a FreeBSD system without affecting network logins. If I type vlock -a, my screen will look like this:

    The entire console display is now completely locked.
    You will not be able to switch to another virtual console.
    Please enter the password to unlock.
At this point, my ALT Function keys no longer work and the machine is unavailable for users who physically walk up to my FreeBSD machine unless they happen to know the password for the user "genisis" or the root account. This feature is handy if your FreeBSD box is acting as a server as it will still accept network logins.
In next week's article, I'd like to shift gears a bit and talk about
Dru Lavigne is a network and systems administrator, IT instructor, author and international speaker. She has over a decade of experience administering and teaching Netware, Microsoft, Cisco, Checkpoint, SCO, Solaris, Linux, and BSD systems. A prolific author, she pens the popular FreeBSD Basics column for O'Reilly and is author of BSD Hacks and The Best of FreeBSD Basics.